Tuesday, June 30, 2009

No Cisco Live - But, there's always VMWorld!


I couldn't make it to Cisco Live this year, because I had to hold the fort down so my co-worker could go. So, now I begin my journey toward attending VMWorld. Would you like to see my initial request to my supervisor? I hope it works. I would really hate to be forced to grovel...

'Boss',

I missed out on Cisco Live this year, so 'co-worker' could go. I hope he has fun, but I’m kind of selfish, and jealous, and “fill in the blank”. Really, I’m abnormally/excessively green with envy. Totally out of character for myself, and I’m really having a difficult time with it. I mean, it’s only once a year that a Cisco guy gets to rub shoulders with 10,000 other pin heads, and socially inept engineers.

I’m considering therapy.

Anyway, while you visualize that, think about this: Cisco will have a large presence at VMWorld. This conference will be held in San Francisco August 31st to September 3rd.

If possible, I would like to make arrangements to attend this training opportunity.

Attending this event would be cheaper than therapy!

Thursday, June 18, 2009

Cisco ASA IPSec VPN Hairpinning


I've been playing around with a Site-to-Site IPSec VPN between a Fortigate and a Cisco ASA. It's been fun getting everything working the way it should. But, my latest challenge was to allow remote access VPN users connecting to the Cisco ASA to connect to resources behind the Fortigate over the site-to-site VPN connection.

By default, the Cisco ASA will not send a packet back out the same interface on which it was received. That makes sense for a firewall, but it is exactly what this scenario requires: the remote access users' traffic arrives on the outside interface and has to leave again on that same interface, inside the site-to-site tunnel to the Fortigate.

This is where IPsec hairpinning comes in.

The command to get this working is 'same-security-traffic permit intra-interface'.

When using this command, it's important to remember that the ASA still applies its firewall rules before sending traffic back out the same interface; permitting intra-interface traffic does not bypass them.

You can get more information about this feature at this Cisco document.

Having another LAN-to-LAN VPN issue? Cisco document id 81824 provides help to troubleshoot the most common L2L issues.

Test AAA Authentication on Cisco ASA
Have you ever been in a situation where you have configured AAA authentication on your Cisco ASA firewall, but you're not sure if it's working?

It can be difficult to determine if there is a problem with the ASA configuration or with the AAA server.

There is an excellent command on the Cisco ASA that allows you to test AAA authentication from the command line. The command is:

test aaa-server {authentication | authorization} server-tag [host server-ip]

An example of this command is included below. The first couple of lines show my AAA authentication configuration, and the next commands show the 'test aaa-server authentication' command in action. The first attempt is with properly entered credentials; the second attempt is with improperly entered credentials.
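An added example (not the author's own configuration or session), assuming a TACACS+ server group named ACS-SRV at 10.0.0.5 on the inside interface and a test account jdoe; the shared key and passwords are placeholders:

```cisco
! Added example, not the author's configuration. The server tag, address,
! shared key and credentials are placeholders chosen for illustration.
!
! AAA server group using TACACS+, reachable via the inside interface
aaa-server ACS-SRV protocol tacacs+
aaa-server ACS-SRV (inside) host 10.0.0.5
 key PLACEHOLDER-SHARED-SECRET
! Use the group for SSH logins, falling back to LOCAL if the server is unreachable
aaa authentication ssh console ACS-SRV LOCAL
!
! 1) Correct credentials: the ASA reports that authentication succeeded.
test aaa-server authentication ACS-SRV host 10.0.0.5 username jdoe password CorrectPass1
!
! 2) Wrong password: the ASA reports that the request was rejected.
!    A rejection means the server answered, so reachability and the shared
!    key are fine and the problem is the account or password. A timeout or
!    "server not responding" result instead points at reachability, the
!    interface named in the aaa-server line, or a shared key mismatch.
test aaa-server authentication ACS-SRV host 10.0.0.5 username jdoe password WrongPass
```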



Wednesday, June 3, 2009

Learning a Second Language - JUNOS

I'm about to start an MPLS project that requires the use of Juniper routers, but I'm a Cisco guy. I don't know anything about JUNOS.

Well, fortunately, Juniper is making it a little easier to get comfortable with their OS with a nice training class.

If you are new to JUNOS and would like a high-level walk through, check out the "JUNOS as a Second Language" training site.